From 1e92e5fdaab833000d6d3a4f6756cb677cb7899e Mon Sep 17 00:00:00 2001 From: Jessica Frazelle Date: Thu, 11 Feb 2016 13:44:00 -0800 Subject: [PATCH] update cap-add docs for seccomp Signed-off-by: Jessica Frazelle --- docs/reference/run.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/reference/run.md b/docs/reference/run.md index cab6098ce8..ba2fc2d918 100644 --- a/docs/reference/run.md +++ b/docs/reference/run.md @@ -1059,6 +1059,14 @@ one can use this flag: --privileged=false: Give extended privileges to this container --device=[]: Allows you to run devices inside the container without the --privileged flag. +> **Note:** +> With Docker 1.10 and greater, the default seccomp profile will also block +> syscalls, regardless of `--cap-add` passed to the container. We recommend in +> these cases to create your own custom seccomp profile based off our +> [default](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json). +> Or if you don't want to run with the default seccomp profile, you can pass +> `--security-opt=seccomp:unconfined` on run. + By default, Docker containers are "unprivileged" and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a
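Review bot: the `[default](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json)` link in the added note points at `master`, so what it shows will drift away from the profile that Docker 1.10 actually ships; link to the file at the matching release tag instead (the tag is not visible in this patch, so it needs to be filled in). Two smaller points in the same note: "regardless of `--cap-add` passed to the container" reads better as "regardless of any `--cap-add` flags passed to the container" (and "based off our" as "based on our"), and the sentence offering `--security-opt=seccomp:unconfined` should state plainly that this turns off syscall filtering for the container entirely, so the reader understands why a custom profile is the recommended path and unconfined is the fallback rather than an equivalent alternative.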